• I make websites
  • If someone is banned twice (two accounts) I want it to take them more than 5min and a VPN to make a 3rd account
  • I’m okay with extreme solutions, like requiring everyone to have a Yubikey-or-similar physical key
  • I really hate the trend of relying on a phone number or Google captcha as a not-a-bot detection. Both have tons of problems
  • but spam (automated account creation) is a real problem

What kind of auth should I use for my websites?

  • jeffhykin@lemm.ee (OP) · edited · 8 months ago

    [TOTP] Simple to setup / create, doesn’t depend on 3rd party …

    Actually I’m worried it’s a bit TOO easy to create. I don’t need a bulletproof/airtight system, but what’s stopping a high schooler from installing BlueStacks, downloading the auth app, and then handling 10,000 TOTP requests for different bot accounts?

    • TCB13@lemmy.world · 8 months ago

      First, that would be a very targeted attack, and the typical bots won’t have provisions for a forced TOTP on the first login + account deletion after 5 days if no TOTP is set up.

      Second, you can make things harder: TOTP should be combined with other anti-brute-force measures, restrict the number of registrations from an IP address, add delays here and there to make it annoying, etc.
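The combination TCB13 describes (forced TOTP enrollment on first login, deletion of accounts that never enroll within the grace period, and a per-IP cap on registrations) sketched as a small Python model. This is an added example, not code from the thread or from any particular site; the class names, the 3-registrations-per-hour limit and the in-memory store are assumptions chosen for illustration, and the TOTP routine is a stdlib RFC 6238 implementation so the block runs without third-party packages.

```python
import base64
import hashlib
import hmac
import struct
from collections import defaultdict, deque

# Assumed policy values (not from the thread): tune per site.
REG_LIMIT_PER_IP = 3                  # registrations allowed per IP per window
REG_WINDOW_SECONDS = 3600             # sliding window for that limit
TOTP_ENROLL_GRACE_SECONDS = 5 * 86400 # "account deletion after 5 days if no TOTP is set up"
TOTP_STEP = 30


class RegistrationRateLimiter:
    """Sliding-window cap on account creations per source IP."""

    def __init__(self, limit=REG_LIMIT_PER_IP, window=REG_WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # ip -> timestamps of recent registrations

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and q[0] <= now - self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def totp_code(secret_b32, timestamp, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, as most authenticator apps use by default)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(timestamp // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret_b32, code, timestamp, skew_steps=1):
    """Accept the current code plus +/- skew_steps neighbours; constant-time compare."""
    return any(
        hmac.compare_digest(totp_code(secret_b32, timestamp + i * TOTP_STEP), code)
        for i in range(-skew_steps, skew_steps + 1)
    )


class AccountStore:
    """Accounts start unenrolled; login is refused until TOTP is confirmed."""

    def __init__(self, limiter=None, grace=TOTP_ENROLL_GRACE_SECONDS):
        self.limiter = limiter or RegistrationRateLimiter()
        self.grace = grace
        self.accounts = {}  # username -> {"created", "totp_secret", "totp_confirmed"}

    def register(self, username, ip, now):
        if not self.limiter.allow(ip, now):
            return "rate_limited"
        if username in self.accounts:
            return "exists"
        self.accounts[username] = {"created": now, "totp_secret": None, "totp_confirmed": False}
        return "created"

    def enroll_totp(self, username, secret_b32, code, now):
        """Enrollment only succeeds if the user proves they hold the secret."""
        acct = self.accounts.get(username)
        if acct is None or not verify_totp(secret_b32, code, now):
            return False
        acct["totp_secret"], acct["totp_confirmed"] = secret_b32, True
        return True

    def login(self, username, code, now):
        acct = self.accounts.get(username)
        if acct is None:
            return "no_account"
        if not acct["totp_confirmed"]:
            return "totp_required"  # forced TOTP on first login
        return "ok" if verify_totp(acct["totp_secret"], code, now) else "bad_code"

    def purge_unenrolled(self, now):
        """Scheduled job: delete accounts that never finished TOTP enrollment."""
        stale = [u for u, a in self.accounts.items()
                 if not a["totp_confirmed"] and now - a["created"] > self.grace]
        for u in stale:
            del self.accounts[u]
        return stale


if __name__ == "__main__":
    store = AccountStore()
    secret = base64.b32encode(b"constructed-demo-secret").decode()
    print(store.register("alice", "203.0.113.7", 1000))            # created
    print(store.login("alice", "000000", 1000))                     # totp_required
    print(store.enroll_totp("alice", secret, totp_code(secret, 1000), 1000))
    print(store.login("alice", totp_code(secret, 1005), 1005))      # ok
```

The rate limiter and the grace-period purge are the two cheap measures from the comment; the TOTP check is constant-time and allows one step of clock skew, which is the usual trade-off between usability and replay window.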